On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:

> CVE-2015-6730[3]:
> | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> | remote attackers to inject arbitrary web script or HTML via the f
> | parameter, which is not properly handled in an error page, related to
> | "ForeignAPI images."

Judging from https://phabricator.wikimedia.org/T97391#1242481 and the last messages in the bug report, and the lack of mention of this in the git log for the various supported branches, I believe that this particular CVE is still unfixed upstream.

Found diffs for the other three, though…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing Directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

